Office of the Inspector General
Social Security Online
www.socialsecurity.gov

Office of Audit
Audit Report - A-09-96-91001

Access Controls for the Social Security Administration's Telephone Switch at the Western Program Service Center - A-09-96-91001 - 9/24/97

This report presents the results of our review of access controls for the Social Security Administration's (SSA) telephone switch (Private Branch Exchange (PBX)) at the Western Program Service Center (WNPSC) in Richmond, California. The purpose was to determine the adequacy of access controls for ensuring that the telephone system is properly used. SSA's Administrative Instructions Manual System instructs local offices to establish administrative controls and regional offices to review long-distance calling practices to prevent employee misuse. However, at WNPSC there is no ongoing monitoring of employee long-distance telephone use, nor are the security software capabilities of PBX fully implemented. Instances of improperly placed international calls were noted by SSA staff during the audit field work. Also, the PBX password is neither changed frequently nor expanded to additional characters, increasing the risk of unauthorized remote access and calls made through PBX by outside individuals.

There are three primary reasons why PBX is vulnerable to telephone misuse. First, telephone call detail reports have not been designated by SSA as a system of records under the Privacy Act of 1974, preventing the Agency from linking individual employees with telephone calls. As a result, management cannot use telephone exception reports to monitor long-distance telephone practices of employees. Second, there is no staff permanently assigned the responsibility for monitoring employee long-distance telephone use. Third, there is an absence of procedural guidance to ensure that PBX security capabilities are fully utilized. We recommend, in part, that SSA: establish a system of records under the Privacy Act that authorizes SSA to collect call detail report data by individual employees; assign staff responsibility for monitoring employees' long-distance telephone practices; and fully utilize PBX security capabilities to include call blocking, exception reporting, frequent changing of passwords, and use of the maximum number of digits possible for the password. We also recommend that SSA assess the need to initiate access controls at other PBX locations.

Except for the establishment of a system of records under the Privacy Act, SSA agreed with the recommendations.

INTRODUCTION

At WNPSC, all telephone instruments are interconnected and linked with the public network by means of telephone switching equipment called a PBX. In 1986, SSA purchased a PBX from Northern Telecom along with a software security package and maintenance agreement. The PBX equipment provides access to services on a nationwide network operated for the Government under the FTS 2000 contract. Basic network services include domestic and international long-distance telephone calling. SSA reported that, as of July 1993, there were about 1,500 SSA offices that operated their telephones through SSA-owned telephone systems.

SSA's Administrative Instructions Manual System provides overall guidance on procedures to control employee telephone usage. Generally, field offices are to ensure that calls are appropriately placed and regional offices are charged with reviewing and analyzing long-distance calling practices. The application of PBX software security is provided for in the purchase agreements with commercial vendors, with technical guidance from SSA's Office of Telecommunications.

Regulations were issued by the Office of Management and Budget (OMB) on April 20, 1987, establishing procedures for Federal agencies to implement call detail programs in compliance with the Privacy Act. The purpose of these programs is to provide agencies with the means of monitoring employee telephone practices to ensure that long-distance services are properly used. The Privacy Act requires that the records only be used for authorized purposes and be protected from improper access. SSA developed a plan in July 1993 which provided for the use of call detail reports to verify the accuracy of long-distance telephone charges to the Agency. However, the Agency deferred action on establishing a system of records under the Privacy Act which would authorize it to link telephone calls with individual employees.

The regulations for managing call detail programs provide a model disclosure statement which agencies can use to establish a system of records under the Privacy Act. The statement must include such information as the routine use of and provisions for accessing, safeguarding, retaining, and disposing of the records. Such a system of records is needed whenever records are used to link telephone calls with individual employees, a necessary procedure if an agency is to identify potential misuse of long-distance service by employees.

SCOPE AND METHODOLOGY

Our audit was conducted in accordance with generally accepted government auditing standards. Our objective was to assess the adequacy of access controls to ensure that telephone lines at WNPSC are properly used. To accomplish our objective, we:

1. held discussions with SSA Headquarters and WNPSC staff;
2. made a physical inspection of the PBX site; and
3. reviewed technical and vendor publications related to PBX equipment and articles on telephone fraud.

The audit was conducted at WNPSC in Richmond, California, and at the regional office in San Francisco, California, from July to November 1996.

RESULTS OF AUDIT

SSA needs to improve access controls for its telephone system at WNPSC both as a means of ensuring that employees properly use Government telephones and of preventing improper telephone access by third parties. There was neither ongoing monitoring of long-distance telephone practices nor was the Agency making full use of available security software for PBX. Reviews of telephone bills at WNPSC by SSA staff disclosed instances of long-distance telephone misuse by employees. Also, software security measures could be improved both for preventing and identifying improper employee practices and for preventing improper remote access by outside individuals.

Monitoring Telephone Usage

SSA was not reviewing telephone usage at WNPSC when we started this audit. Subsequently, SSA staff started manually reviewing selected invoices and found several irregularities that required further examination to determine if employee abuse of the telephone system had occurred. For example, international calls were made to two foreign countries. There were 21 calls to the Philippines totaling $744.05 from August 9 to September 13, 1996, and 24 calls to Mexico totaling $107.98 from July 1 to August 27, 1996. These calls were improper because international calls are not part of normal business conducted from those telephone lines. Another example involved an employee who charged SSA for membership in a telephone service called "Psychic Encounters." These types of telephone misuse can be minimized by making use of a PBX software control feature called "call blocking."

Call blocking allows SSA to customize each user's telephone access to match job needs. An example is to block a user from calling internationally if the individual has no job-related duties requiring international telephone calls. After detecting the above incidents, SSA staff increased the use of call blocking for all "900" number, collect, and calling card calls. At the time of our field work, call blocking of international calls was pending because international business is done on some telephone lines.

Exception reports are a software feature which provides an effective and efficient means for SSA to monitor employee long-distance telephone practices. An exception report lists telephone calls meeting specific criteria, such as length of calls, international calls, and "900" calls. Such reports can be automated to identify trends which indicate potentially improper telephone practices by individual employees. However, the Privacy Act requires that SSA establish call detail reports as a system of records in order to use information linking telephone calls with individual employees.

Protection against Unauthorized Electronic Access to PBX

At the time of our field work, the PBX password had not been changed in about 5 years. The password is used by authorized SSA employees for making changes to the PBX configuration, such as adding or removing individual telephone instruments or service features like voice mail, long-distance access, and call blocking. The password can also be used by the vendor to access PBX while physically outside WNPSC for performing maintenance and repair from a remote location.

The Communications Fraud Control Association (CFCA), a clearinghouse for information on the fraudulent use of telephone services, recommends that passwords be changed frequently. Unauthorized access by SSA employees could lead to such improper changes to the system as the removal of call blocking features or the addition of unauthorized long-distance access lines. Furthermore, an outside individual who successfully accesses PBX from a remote location by dialing into the remote maintenance modem can use PBX for making calls anywhere in the world.

Although no instances of unauthorized remote access were identified at WNPSC, CFCA literature has examples of compromised PBXs that were used to incur significant improper costs for long-distance telephone calls. Philadelphia Newspapers, Incorporated, lost $150,000 in 1 month; a Midwestern chemical company lost $700,000 in 3 weeks; and an Ohio manufacturer lost $300,000 over a weekend.

PBX software used at WNPSC allowed SSA to use a maximum of four digits for the password. Northern Telecom's security manual states that a hacker can crack a four-digit password within 7 seconds. Longer strings of password digits should be used and the password changed frequently to increase the difficulty of compromising the password and having someone gain improper access to the PBX.

RECOMMENDATIONS

SSA needs to improve controls over the long-distance telephone practices of employees and access to its PBX at WNPSC. In addition, the lack of established control procedures indicates that similar control weaknesses may exist at other SSA offices.
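The call blocking and exception reporting controls described under Monitoring Telephone Usage above, as an added worked example that is not part of the OIG report and not code from SSA's or Northern Telecom's PBX software: a small Python script that applies a per-extension class-of-service policy (the call blocking control) to call detail records and produces an exception report listing calls that meet the report's criteria (international calls, "900" calls, length of call), plus the per-extension trend view the report says such reports can be automated to provide. The CDR field names, the extension numbers, the policy table, the duration thresholds and the sample records are all assumptions constructed for illustration; the dialing prefixes (011 for international, 900 for premium-rate) follow North American dialing conventions.

```python
# Added example, not from the OIG report: exception reporting over
# constructed call detail records (CDRs) with a per-extension
# call-blocking policy. Field names, extensions, thresholds and the
# sample records are assumptions made for illustration.
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class CallRecord:
    extension: str   # originating station (assumed CDR field)
    dialed: str      # digits dialed, punctuation allowed
    minutes: float   # call duration
    cost: float      # charge to the agency in dollars
    when: date       # call date


# Class-of-service policy: the "call blocking" control, one entry per
# extension. Extensions without an entry fall back to DEFAULT_POLICY.
DEFAULT_POLICY = {"international": False, "premium": False, "max_minutes": 30}
POLICY = {
    "4101": {"international": False, "premium": False, "max_minutes": 30},
    "4102": {"international": True, "premium": False, "max_minutes": 60},  # overseas duties
}


def classify(dialed):
    """Bucket a dialed number by its North American dialing prefix."""
    digits = "".join(ch for ch in dialed if ch.isdigit())
    if digits.startswith("011"):          # international access code
        return "international"
    if digits.startswith("1"):            # drop the long-distance prefix
        digits = digits[1:]
    if digits.startswith("900"):          # premium-rate area code
        return "premium"
    return "domestic"


def exceptions_for(record):
    """Return the policy violations for one call (empty list if none)."""
    policy = POLICY.get(record.extension, DEFAULT_POLICY)
    kind = classify(record.dialed)
    reasons = []
    if kind == "international" and not policy["international"]:
        reasons.append("international call from extension without international duties")
    if kind == "premium" and not policy["premium"]:
        reasons.append("premium-rate (900) call")
    if record.minutes > policy["max_minutes"]:
        reasons.append(f"duration {record.minutes:.0f} min exceeds {policy['max_minutes']} min")
    return reasons


def exception_report(records):
    """Exception report: one row per call that meets any exception criterion."""
    return [(r.extension, r.dialed, r.when.isoformat(), r.cost, exceptions_for(r))
            for r in records if exceptions_for(r)]


def trend_summary(records, kind="international"):
    """Per-extension call count and total cost for one class of call:
    the trend view that exposes a pattern rather than a single call."""
    totals = defaultdict(lambda: [0, 0.0])
    for r in records:
        if classify(r.dialed) == kind:
            totals[r.extension][0] += 1
            totals[r.extension][1] += r.cost
    return {ext: (n, round(cost, 2)) for ext, (n, cost) in totals.items()}


# Constructed sample CDRs (fictitious extensions and numbers).
SAMPLE_CDRS = [
    CallRecord("4101", "011-63-2-555-0100", 34.0, 38.20, date(1996, 8, 9)),
    CallRecord("4101", "011-52-55-555-0199", 5.0, 4.50, date(1996, 8, 12)),
    CallRecord("4102", "011-52-55-555-0199", 12.0, 10.80, date(1996, 8, 12)),
    CallRecord("4103", "1-900-555-0123", 8.0, 23.92, date(1996, 8, 15)),
    CallRecord("4103", "1-415-555-0142", 45.0, 6.75, date(1996, 8, 16)),
    CallRecord("4102", "1-202-555-0177", 10.0, 1.50, date(1996, 8, 16)),
]

if __name__ == "__main__":
    for ext, dialed, day, cost, reasons in exception_report(SAMPLE_CDRS):
        print(f"{day} ext {ext} -> {dialed} ${cost:.2f}: {'; '.join(reasons)}")
    print("international calls by extension:", trend_summary(SAMPLE_CDRS))
```

Run against the constructed records, the report flags the two international calls from extension 4101, the "900" call from 4103 and the over-length domestic call from 4103, while the international call from 4102 passes because that extension's policy permits it; the trend summary shows 4101 placing two international calls for $42.70. Each row ties a call to an originating extension, which is exactly the linkage the report says SSA may not use against individual employees until call detail reports are established as a system of records under the Privacy Act.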
We recommend that SSA:

1. establish call detail reports as a system of records under the Privacy Act and OMB regulations;
2. assign staff responsibility for ongoing long-distance telephone call monitoring;
3. use call blocking to prevent and exception reports to identify improper telephone calls;
4. change PBX passwords frequently and request software revisions to increase the maximum number of password digits used;
5. improve procedural guidance to ensure that SSA components fully utilize available PBX security software; and
6. assess the risk of telephone misuse at other PBX locations and, if necessary, initiate appropriate access controls.

SSA Comments

SSA agreed with our conclusion that controls over the use of SSA telephone systems need to be improved. Corrective actions to implement our recommendations have been initiated at WNPSC. Also, SSA plans to assess the need for improved controls for its offices nationwide and develop guidance to ensure that PBX security software is fully utilized and other needed controls are in place.

SSA, however, did not agree with the recommendation to establish a system of records under the Privacy Act for call detail reports. The Agency stated that current controls either in place or being implemented will substantially reduce incidents of telephone abuse. SSA further stated that the Office of the Inspector General (OIG) report provided no evidence that implementing the recommended system of records would be cost-effective. SSA's written comments in their entirety are included at Appendix A.

OIG Response

The corrective actions taken at WNPSC should reduce the risk of unauthorized access and use of PBX. SSA also agreed to assess the need for and implement, as required, improved controls for its telephone systems nationwide. Without establishing call detail reports as a system of records under the Privacy Act, however, SSA lacks the authority to monitor and, when necessary, take actions against individual employees who place improper personal calls on the Agency's telephone systems.

We acknowledge that there are administrative costs related to implementing the protections required under the Privacy Act for a system of records. Also, we have no basis for estimating the benefits related to such a system because there is no SSA data on the costs associated with improper telephone use. Nonetheless, the benefit of establishing such a system should include the deterrent value resulting from SSA's capability and authority to detect improper telephone practices and to pursue administrative and criminal actions against individual employees who misuse the telephone system. The U.S. Department of Agriculture, another large and decentralized Federal agency, established a system of records for call detail records, stating as one objective, ". . . deterring or detecting possible misuses of long distance services . . ." (Departmental Regulation 3040-2, dated August 31, 1995).

David C. Williams

APPENDICES

MAJOR CONTRIBUTORS TO THIS REPORT

Office of the Inspector General
F. William Fernandez, Director, Program Audits (West)
Jack H. Trudel, Deputy Director, San Francisco
David Gallo, Senior Auditor
Timothy Meinholz, Auditor